Someone once said that “Knowledge is power”. However, if you also add experience to knowledge you get a whole lot more. You know emails can be used by cybercriminals to steal data, but actually having the experience to say, “this is a spoof, I must not click that link”, is taking it to the next level up.
Using simulations of phishing emails as part of a wider security awareness training programme can reap big benefits for your business.
Let the Phishing Statistics Speak for Themselves
Why do we even need to run phishing simulations? Well, the statistics speak for themselves. Spear phishing, where users are specifically targeted by cybercriminals, is still the number one way that cybercriminal groups attack an organisation. And, according to Symantec, almost half of all email is spam. When you consider there were 124 billion business emails sent and received every day in 2018, that’s a lot of spoof emails to wade through and a lot of potential for disaster.
If we look at the success of phishing campaigns, it varies. Some are more successful than others. For example, a phishing campaign which targeted frequent flyers had a 90% email open-rate. Others are less successful. However, it only takes a single person in a company to open a scam email, then click on a link or open a malware-laden attachment, to infect the whole company.
In 2017, 76 percent of businesses were victims of a phishing attack.
What is a Phishing Simulation?
Phishing simulations are used to train your staff to spot the warning signs of a malicious email. Phishing simulations are based on typical phishing email templates that regularly turn up in our inboxes. A security awareness company that offers phishing simulations creates a series of fake “phishing” emails that are tailored to your organisation. The fake phishing emails may be spoofs of spoofs, but they closely mimic real phishing emails. So, for example, if you work in healthcare, the emails would simulate the phishing emails most likely to be used to target that industry.
A good phishing simulation program will be automated so as to reduce your input and improve the ‘realness’ of the simulation. You would typically run the simulation service on a regular basis and modify it to reflect topical scams. The software that runs the simulation sends out pre-configured “phishing” emails to staff to test their response. These emails can be tailored to the company, department, or even individual. The exercises are monitored, and the results show the effectiveness of the exercises – you can use these results to further tailor the sessions to improve them. The end goal is to train employees to spot whether an email is legitimate or not.
Research has shown that 75% of security incidents are down to a lack of staff knowledge. Being prepared is being aware.
Typical Phishing Simulation Emails
Phishing campaigns are based on a technique known as ‘social engineering’. This is a method that preys on our natural human behaviour: the behaviours that encourage us to click a link or open an attachment. For example, the spoof email may include a strong sense of urgency, such as a time limit on something that the user wants – click the link in the next two hours to get a free gift. Phishing simulations use the same techniques that real phishing emails use to trick your staff, building up their experience of phishing tricks.
Phishing Simulation Reports
Phishing simulation exercises should always give you feedback. The reports generated by a good phishing simulation tool should give you data on:
- The number of email opens
- The number of users clicking links
- The number of attachment opens
- How many people report the email
These data can then be used to assess how successful the training is and to adjust it as necessary. They can also be a really useful tool to show department managers and C-level executives how the company is faring in terms of cybersecurity awareness.
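As an added illustration of how those four report lines are derived from raw simulation events (this is not code from any simulation product; the event format, recipient list and data are constructed for the example), the script below de-duplicates repeat actions per user, keeps people who never touched the email in the denominator, breaks the figures down by department, and flags the users who clicked or opened the attachment without reporting it, which is the group that needs follow-up training.

```python
from collections import defaultdict

ACTIONS = ("open", "click", "attachment", "report")

# Constructed sample data for one simulated campaign (assumed format: the
# recipient list maps user -> department; each event is (user, action)).
RECIPIENTS = {"alice": "finance", "bob": "finance", "carol": "hr",
              "dave": "hr", "erin": "it"}
SAMPLE_EVENTS = [
    ("alice", "open"), ("alice", "click"),
    ("bob", "open"), ("bob", "report"),
    ("carol", "open"), ("carol", "open"),   # repeat open must count once
    ("carol", "attachment"),
    ("dave", "report"),                     # reported from the preview pane, never "opened"
    # erin received the email and ignored it: still part of the denominator
]

def per_user_actions(events):
    """Collapse raw events into the set of distinct actions taken by each user."""
    seen = defaultdict(set)
    for user, action in events:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        seen[user].add(action)
    return seen

def fell_for_it(actions):
    """True when the user clicked or opened the attachment and never reported it."""
    return bool(actions & {"click", "attachment"}) and "report" not in actions

def summarise(recipients, events):
    """Return {'all': metrics, department: metrics, ...}. Each metrics dict has
    the four report counts, 'recipients', 'fell_for_it' and matching '_pct' rates."""
    actions = per_user_actions(events)
    groups = defaultdict(list)
    for user, dept in recipients.items():
        groups["all"].append(user)
        groups[dept].append(user)
    result = {}
    for name, users in groups.items():
        m = {a: sum(a in actions[u] for u in users) for a in ACTIONS}
        m["recipients"] = len(users)
        m["fell_for_it"] = sum(fell_for_it(actions[u]) for u in users)
        for key in ACTIONS + ("fell_for_it",):
            m[key + "_pct"] = round(100 * m[key] / len(users), 1)
        result[name] = m
    return result

def follow_up_list(recipients, events):
    """Users to enrol in extra training: interacted with the lure, did not report it."""
    actions = per_user_actions(events)
    return sorted(u for u in recipients if fell_for_it(actions[u]))
```

Note that someone who reports the email after clicking still counts as a click but not as "fell for it"; the report is the behaviour the programme is trying to build, so it should not be penalised in the follow-up list.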
Benefits of Phishing Awareness and Experience
The ultimate benefit of phishing awareness is the prevention of data breaches. However, there are other areas that phishing awareness touches upon:
- Compliance and training – there are a number of data protection and privacy regulations that now strongly encourage an organisation to carry out security awareness training, of which simulated phishing is a part. These regulations include PCI and the GDPR.
- Increased threat activity reporting – simulated phishing as part of your security awareness training will help to build your human defences. Your staff becomes your castle moat. If you have a security policy that utilises simulated phishing, coupled with reporting procedures, you can build a strong security culture within your organisation.
- Reduced fraudulent activity – as your workforce becomes well-versed in spotting phishing attacks, fraudulent activity will decrease.
- Brothers and sisters in arms – simulated phishing exercises based on gamification can make security awareness training a fun thing to do. Everyone is involved. A team spirit in thwarting cybercrime can be cultivated. It not only makes the workplace safer but extends cybersecurity knowledge to an employee’s home life too. Phishing simulation exercises make everyone safer.
The use of phishing simulation exercises is another tool in the armoury used to fight cybercrime. It gives your employees and your company the know-how to stop phishers taking advantage of your organisation and its staff. Phishing simulation, alongside a wider security awareness program, is something that brings a workforce together. If the exercises are done in a fun and inclusive way, it can make tackling cybercrime interesting and create a real culture of security across your organisation.